American Express is notifying customers that their information was compromised in a data breach at a third-party services provider.
In a notification letter to the impacted customers, a copy of which was submitted to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), the company explains that the incident impacted account information of some card members.
“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system. It is important to note that American Express owned or controlled systems were not compromised by this incident,” the notification letter reads.
According to American Express, the compromised information includes names, current and previously issued card account numbers, and other card details, such as expiration dates.
The financial services company says it is “vigilantly monitoring” customer accounts for fraud and notes that the impacted individuals are not liable for fraudulent charges on their accounts.
The notification letter also includes a series of recommendations on how individuals can protect their personal and card information, but does not share details on how the incident occurred. It is unclear how many individuals were impacted by the data breach.
Massachusetts OCABR’s latest data breach report shows that American Express disclosed several third-party data breaches over the past several weeks, involving retailers and merchant processors. Credit or debit card numbers were compromised in every incident.
“The potential impact of the American Express data breach is not yet known, as it is unclear whether customers’ data was simply accessed or if it has been exfiltrated through the third-party provider. If the sensitive data of customers, including card numbers and expiration dates, has been exfiltrated by attackers, it can be used to not only make fraudulent purchases, but also to extort customers into further payments,” BlackFog CEO and founder Darren Williams said in an emailed comment.
Update: Responding to SecurityWeek, American Express provided the following statement:
“The incidents that you are inquiring about occurred at a merchant or merchant processor and was not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.
American Express Card Members are not liable for fraudulent charges on their accounts. We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions.”
Related: Golden Corral Data Breach Impacts 180,000 Employees
Related: 230k Individuals Impacted by Data Breach at Australian Telco Tangerine
Related: Bank of America Customer Data Stolen in Data Breach